Hunting for Suspicious DNS Communications

Introduction Adversaries are continuously developing techniques to reduce the detection rate of their malicious activities on an enterprise network; for example, they utilize stenography for data exfiltration, malicious software delivery, and covert C2 communications. This article provides an overview on detecting and hunting suspicious DNS connections in an enterprise network. Requirements In order to be… Continue reading

Establishing an encrypted communication channel over HTTP

In my previous article “Establishing a secure communication channel over HTTP” , I introduced a demo on how to exchange encrypted information over the HTTP protocol using RSA & AES algorithms. This article provides an introduction to how to make encrypted communications between two endpoints over HTTP. The goal is to transmit data securely from… Continue reading

SharpSpray | Active Directory Password Spraying Tool

SharpSpray is a Windows domain password spraying tool written in .NET C#. SharpSpray is a C# port of DomainPasswordSpray with enhanced and extra capabilities. This tool uses LDAP Protocol to communicate with the Domain active directory services. Features Can operate from inside and outside a domain context. Exclude domain disabled accounts from the spraying. Auto… Continue reading

SharpStrike | Post-exploitation tool | CIM & WMI Inside

Introduction SharpStrike is a post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. It can use provided credentials or the current user’s session. This project is a rewrite and expansion on @Matt_Grandy_ CIMplant & @christruncer WMImplant SharpStrike allows you to gather data about a remote system, execute commands, exfiltrate… Continue reading

Microsoft Exchange Password Spraying

Introduction Password Spraying is a technique attackers leverage to guess the passwords of accounts by trying a small number of highly common passwords against a large number of accounts while also staying below an organization’s defined lockout threshold. This allows an attacker to compromise accounts without any elevated privileges and masking themselves from detection by… Continue reading